Jing-yi WANG,Tian-chen ZHU,Jia-wei KANG,Bo LI

DOI: https://doi.org/10.12783/dtcse/cmee2017/20039

2018-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Facing the increasingly serious security problems in ICS, how to classify and generate threat intelligence effectively is of great importance in improving the safety of industrial control systems, helping them identify security threats and making corresponding preventions. In this paper, according to the classification of security events in the threat intelligence platform, we classify ICS security topic texts as information leakage, security vulnerabilities, network security, security suggestions, invasion, malware, or security events. Based on the OpenIOC framework, automatically analysis on the massive ICS security data can be done to generate the corresponding IOC file and obtain threat intelligence.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.1109/mobhoc.2009.5336922

2009-01-01

Abstract:Collaboration enables domains to share resources effectively; however it introduces several security and privacy challenges. To guarantee the secure interoperation in complex distributed environment, a RBAC based secure interoperation model was proposed. Based on the inherent characteristic of the RBAC system, a directed acyclic graph based detection method of security violation was investigated. We also classified the conflicts according to the feature of each four parts of NITS RBAC model: conflicts resulting from unrelated roles, conflicts that arise from related roles and conflicts due to separation of duty. The targeted detection method for different types of conflicts was illustrated systematically. Therefore corresponding detection method can be applied to different types of conflicts according to the actual application environment. Furthermore, we analyzed the algorithmic complexity of the method and demonstrated the application of the directed acyclic graph based detection method with case studies in realistic scenarios.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Guangyu Qian,Jinyuan Li,Wei He,Wei Zhang,You Cao

DOI: https://doi.org/10.1007/s10207-024-00845-9

2024-04-28

International Journal of Information Security

Abstract:Intrusion detection in industrial control systems (ICS) is crucial for maintaining the security of physical information systems. However, the existing models predominantly rely on black-box approaches, which exhibit limitations in result credibility and the ability to adapt to complex and dynamic environments. Consequently, this paper proposes an online updatable extended belief rule base model (O-EBRB) for intrusion detection in ICS. Firstly, an industrial intrusion detection model rooted in the extended belief rule base (EBRB) is established. This model excels in concurrently processing both quantitative and qualitative data, ensuring the reliability of its outcomes. Subsequently, a novel domain-based rule update methodology for integrating new observation data is proposed. By incorporating or merging fresh data into the original model, it enhances the model's adaptability in dynamic settings. Finally, employing the domain-based rule weight calculation approach, the model continues to effectively compute model parameters even with the continuous expansion of rules. Through extensive experimentation on two real-world industrial intrusion detection datasets, the results demonstrate the effectiveness of the proposed model in handling information and its robust performance in dynamic environments.

computer science, information systems, theory & methods, software engineering

Haiyong Bao,Rongxing Lu,Beibei Li,Ruilong Deng

DOI: https://doi.org/10.1109/jiot.2015.2459049

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:In this paper, we propose a behavior rule-based methodology for insider threat (BLITHE) detection of data monitor devices in smart grid, where the continuity and accuracy of operations are of vital importance. Based on the dc power flow model and state estimation model, three behavior rules are extracted to depict the behavior norms of each device, such that a device (trustee) that is being monitored on its behavior can be easily checked on the deviation from the behavior specification. Specifically, a rule-weight and compliance-distance-based grading strategy is designed, which greatly improves the effectiveness of the traditional grading strategy for evaluation of trustees. The statistical property, i.e., the mathematical expectation of compliance degree of each trustee, is particularly analyzed from both theoretical and practical perspectives, which achieves satisfactory tradeoff between detection accuracy and false alarms to detect more sophisticated and hidden attackers. In addition, based on real data run in POWER WORLD for IEEE benchmark power systems, and through comparative analysis, we demonstrate that BLITHE outperforms the state of arts for detecting abnormal behaviors in pervasive smart grid applications.

Dongming Sun,Liang Hu,Gang Wu,Yongheng Xing,Juncheng Hu,Feng Wang

DOI: https://doi.org/10.1109/jiot.2024.3362950

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The increased utilization of Trigger-Action Programming (TAP) rules in smart homes has raised concerns regarding potential security threats in the interactions between smart digital devices/online services (DD/OS) and the physical environment. To ensure the secure use of intelligent and convenient infrastructure for users, we introduce an approach aimed at detecting potential security threats. In this paper, we propose IoT security threat models and categorize the threats into Risky DD/OS with Physical Security, Contradictory Operation of DD/OS and Environmental Impact Conflict. To effectively detect security threats, we construct an Internet of Things-Heterogeneous Information Networks (IoT-HIN) and enhance it with a knowledge base tool, transforming it into a knowledge-based IoT-HIN. We establish meta-paths to conduct analysis of events triggered by rules, and a threat detection algorithm is proposed to identify potential security threats and determine the rules leading to these threats. The proposed approach is validated using a real-world dataset, and the experimental results demonstrate its efficiency and practicality. Furthermore, a comparative analysis with similar works is conducted to highlight the superiority of our proposed approach.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xueyuan Wen,Kaiyan Dai,Qi Xiong,Lili Chen,Jian Zhang,Zhen Wang

DOI: https://doi.org/10.1016/j.jisa.2023.103557

IF: 4.96

2023-08-19

Journal of Information Security and Applications

Abstract:Years into the insider threat, it remains an universal challenge to predict and defend. Concerning this problem, there has been a multitude of solutions, including the detection of sentiment fluctuations of an entity to predict its abnormality degree. Previous research solely focus on the analysis of individual anomalies, but ignore the sociality of individual sentiments. Therefore, in this paper, we propose an approach to internal threats detection based on sentiment and network analysis. Above all, we use Natural Language ToolKit (NLTK) to analyze the sentiment of each preprocessed email, and thus we establish sentiment communication network. The graphs are reconstructed into series and reshaped as matrices. By the singular value decomposition (SVD), the matrix is decomposed into base networks, and we analyze the change in importance of important base networks over time to detect the company's internal conditions. When anomalies occur, we establish combination networks which consist of base networks and can represent the abnormal character patterns of this time. Then compare the eigenvector centrality of both combination networks and total network to identify the employees related to this anomaly. The experiment shows that it can locate the anomaly-related employees accurately, and according to the network graph, the top few of anomaly-related employees are associated in group internal threats. Our approach provides the anomaly-related rank of employees and the abnormal character pattern of the sentiment communication network at the moment of anomaly.

computer science, information systems

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Taolue Chen,Tingting Han,Florian Kammueller,Ibrahim Nemli,Christian W. Probst

DOI: https://doi.org/10.1109/cybersecpods.2016.7502350

2016-01-01

Abstract:In order to detect malicious insider attacks it is important to model and analyse infrastructures and policies of organisations and the insiders acting within them. We extend formal approaches that allow modelling such scenarios by quantitative aspects to enable a precise analysis of security designs. Our framework enables evaluating the risks of an insider attack to happen quantitatively. The framework first identifies an insider's intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking. We provide prototype tool support using Matlab for Bayesian networks and PRISM for the analysis of Markov decision processes, and validate the framework with case studies.

Qi Ao

DOI: https://doi.org/10.1109/dsa51864.2020.00028

2020-11-01

Abstract:In the last decade, the industrial field has suffered from a large number of attacks, which are diverse and difficult to detect. Aiming at the stealthy attacks suffered by industrial control systems, this paper processed an intrusion detection method oriented to industrial control process. The method focused on the change in the state of the controlled physical system, and under the premise that the alarm mechanism cannot detect the attack, it abstracted the intrusion detection into the optimization stopping of the detection of the state of the controlled system. Through adaptive optimization of the reference value in the non-parametric cumulative sum (CUSUM) algorithm, the detection delay of the industrial control process is further shortened. Simulation experiments show that this method can detect the tampering of the sensor observation data by the attacker in time, and effectively avoid the physical damage of the controlled system.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

Zeyu Yang,Liang He,Hua Yu,Chengcheng Zhao,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2022.3164723

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Programmable logic controllers (PLCs), i.e., the core of control systems, are well-known to be vulnerable to a variety of cyber attacks. To mitigate this issue, we design PLC-Sleuth, a novel noninvasive intrusion detection/localization system for PLCs, which is built on a set of control invariants—i.e., the correlations between sensor readings and the concomitantly triggered PLC commands—that exist pervasively in all control systems. Specifically, taking the system's supervisory control and data acquisition log as input, PLC-Sleuth abstracts/identifies the system's control invariants as a control graph using data-driven structure learning, and then monitors the weights of graph edges to detect anomalies thereof, which is in turn, a sign of intrusion. We have implemented and evaluated PLC-Sleuth using both a platform of ethanol distillation system (EDS) and a realistically simulated Tennessee Eastman (TE) process. The results show that PLC-Sleuth can: 1) identify control invariants with 100%/98.11% accuracy for EDS/TE; 2) detect PLC intrusions with 98.33%/0.85 ‰ true/false positives (TPs/FPs) for EDS and 100%/0% TP/FP for TE; and 3) localize intrusions with 93.22%/96.76% accuracy for EDS/TE.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Zhang Xiaojun,Li Yingcai,Zhang Fuqiang,Zhang Qian,Han Li

DOI: https://doi.org/10.1145/3469213.3471388

2021-05-28

Abstract:With the continuous development of network technology, global informatization has become a reality. While the openness and interconnection of IP network protocols bring convenience to data communication, it also provides space for network intruders to enter the void. In particular, the terminal system design is fragile, the software running on the terminal is becoming more and more complicated, and its various components are interdependent, and vulnerabilities are prone to occur in the process of development and maintenance. 0day vulnerabilities emerge endlessly, and static protection methods have exposed deficiencies.

Haowei Liu

DOI: https://doi.org/10.1088/1742-6596/1994/1/012021

2021-08-01

Journal of Physics: Conference Series

Abstract:Abstract Under the background of “digital new era”, the trend of network environment diversification and personnel technical requirements complexity is becoming more and more intense. After the “Prism Gate” incident was exposed, the public began to think deeply about insider security. At present, most organizations adopt security information and event management (SIEM) security policies and the rules to carry out insider security detection. However, with the surge of insider information data, the number of false alarms and false alarms due to the lack of context increases, which consumes a lot of time and human and material resources. Based on these problems, it is particularly important to develop a new insider safety inspection system and tools. This work proposes to develop an insider threat detection system based on the security strategy of user and entity behavior analysis to realize the detection and analysis of insider threat with high precision. The main work is as follows:This work abandons the traditional SIEM combined rules to determine the anomaly, but adopts the detection strategy of User and Entity Behavior Analysis (UEBA).This work proposes an improved LSTM-GaN insider threat detection algorithm.

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security